THE CHAIRMAN OF the Office of Public Works (OPW) said a decision by the agency to ban visitor books from its sites over data protection concerns “flew in the face of common sense”, internal correspondence has revealed.
Emails and text messages, seen by TheJournal.ie, show how senior OPW staff clashed over the decision to remove the books from Irish heritage sites.
The ban came to light last month, when sites including Dublin Castle, Kilmainham Gaol and Muckross House stopped using visitor books, with the OPW citing fears over data protection.
OPW officials made the decision in light of the introduction of the EU’s General Data Protection Regulation (GDPR).
Privacy experts said the move was excessive, and the ban was described as a “disproportionate approach” to data privacy by the Data Protection Commission.
The OPW later reviewed its decision and issued a statement to say the books would be restored, while clarifying that it had “erred on the side of caution”.
GDPR compliance circular
But although the controversy only came to light last month, documents released under the Freedom of Information Act show how the OPW’s Data Protection Officer Liam Kelly outlined why visitor books should be removed last December.
The order was one of several made by Kelly in a document later sent to staff in charge of heritage sites to ensure the OPW was compliant with GDPR.
The circular said:
Visitor books should no longer be used on sites, as they do not comply with GDPR.
By definition, visitor books process data in an insecure manner, as anyone can look at the data and some people write their full names and addresses.
Other instructions in the circular included requirements that OPW sites erect signage stating why CCTV was being used, and that visitors should pass at least two signs before they came into view of a camera.
The document was subsequently forwarded to staff at heritage sites on 2 January, and the visitor books were removed from some locations.
Further correspondence shows how, in addition to his concerns about data security, Kelly felt compelled to remove visitor books because the OPW did not have any use for them.
Following a press query about the removal of the books in July, he clarified why the decision had been taken, claiming that anyone using their phone could take a picture and copy the data of those who had signed them.
“The visitor books did not appear to have any useful purpose for the OPW, other than allowing visitors to record comments, as nothing was done regarding the comments they contain,” he said.
As GDPR requires a purpose for processing data, this was another reason for not collecting it in the first place.
In the same email, Kelly explained that some alternatives to the visitor book system had been proposed, including advice that visitors only gave partial details when signing the books, or that pages with a dark grey background to disguise information could be used instead.
However, he added that having visitors sign illegible pages was pointless and he suggested that there would still be a risk of a data breach if partial details were given.
Chairman emails staff
In response to the press query, the OPW formally issued advice to heritage sites instructing them to withdraw visitor books on 22 July.
The issue was reported in the media the following day, prompting OPW Chairman Maurice Buckley to contact two staff members – neither of whom sent the instructions – for information.
“Please advise who made the decision to remove visitor books from sites as reported… today and the circumstances behind the decision,” he said.
In an email to a third individual, one of the staff members whom Buckley emailed wrote: “This is gone f***ing insane at this stage! I’ll have to talk to him [Buckley]“.
Text messages between the two staff members later show how they sought to play down the impact of the controversy. One read:
Its getting zero public comment on social media. Only people on it are media and GDPR [professionals] so [there is a] tiny audience for this… this will be gone by tomorrow if we walk it back as discussed.
Advice to Ministers
Meanwhile, Buckley emailed Kelly and OPW press officer Brian Higgins to ask them to explain the former’s original advice about the visitor books.
Higgins also sought the input of the Chairman before sending advice to Government Ministers about the issue.
Buckley agreed that Kelly’s justification might be technically correct, but said the decision to remove the books “flies in the face of common sense and proportionality”.
He said:
To address a low-risk item like this is fine if we have fully addressed higher risk items like Health and Safety issues beforehand.
We leave ourselves very open to a ‘have you nothing better/bigger to be worried about’ accusation.
The Chairman also suggested waiting until the following day to consider the situation before Higgins sent advice to Ministers about the situation.
In response, Kelly reiterated his earlier claim to Higgins that the books served no purpose to the OPW.
“The real problem with the visitor books was that the Office did not use the visitor books for anything, so had no purpose for collecting the personal data in the first place,” he said.
“That taints the whole process with illegality. I can see the same hue and cry because someone’s data was lost… The GDPR does not provide a get-out because something is minor.”
Kelly also said that while it was unlikely that the agency would be fined if there was a data breach, he believed there was nothing to stop individuals taking legal action if this happened.
“Who told people that visitor books were banned anyway?” he added. “All they had to do was say we don’t have one.”
Reinstatement of books
Buckley later agreed to issue a press release on 24 July announcing a review of the policy, which also called for clarity from the Data Protection Commissioner on the issue.
A final email was sent by another OPW staff member that afternoon, announcing that all visitor books should be reinstated with immediate effect.
In another email that evening, Buckley told Kelly and Higgins that he was satisfied that the issue was at “the very bottom scale of risk”.
“Removing the books was too heavy a response and not what Liam [Kelly] had intended triggering,” he said.
“I will take full responsibility for the residual risk involved in putting back the books.”
He added that he did not wish for Kelly to seek clarification from the Data Protection Commissioner, as doing so would complicate the process further, and said he now considered the matter dealt with.
Visitor books have since been reinstated at a number of OPW sites.
To embed this post, copy the code below on your site
have your say